Open spring-projects-issues opened 7 years ago
Oliver Drotbohm commented
Thanks, Javier. That looks decent. Rob Winch — Would you mind having a brief look?
Rob Winch commented
This looks like an improvement. It is important to keep in mind that the CSRF token is typically stored in a cookie which is HttpOnly to be as secure as possible by default. This means that this code will not work with the default settings.
Javier Alejandro Miño commented
This repository shows an example of this issue: https://github.com/javiersvg/hal-browser-zuul-issue-demo
This repository has a branch named DATAREST-980 with the proposed solution applied.
I am not sure what you mean by default settings, but let me know if there is any information that I can provide that might help you with this.
Javier Alejandro Miño opened DATAREST-980 and commented
When I run the HAL browser behind a Zuul proxy that has CSRF protection, the POST request fails due to the following:
This should be very easy to solve by adding to CustomPostForm.js the capability to send a header `X-XSRF-TOKEN`
Affects: 2.5.6 (Hopper SR6)
Referenced from: pull request https://github.com/spring-projects/spring-data-rest/pull/253
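
The header approach proposed in this issue, together with the HttpOnly caveat raised in the comments, as an added example that is not the code from the pull request or from the HAL browser. It assumes the token cookie is named `XSRF-TOKEN` (the issue names only the header); the helper names, origin and cookie strings are constructed for illustration.

```javascript
// Added illustration, not the pull request's code.
// Assumption: the CSRF cookie is called XSRF-TOKEN. The header name is from the issue.
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';

// Constructed samples of what document.cookie would contain.
const SAMPLE_READABLE = 'theme=dark; XSRF-TOKEN=6f1c2a9e'; // cookie visible to script
const SAMPLE_HTTPONLY = 'theme=dark'; // HttpOnly token cookie is never listed

// Return one cookie value from a "a=1; b=2" string, or null if absent.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue; // exact name match only
    const raw = part.slice(eq + 1).trim();
    try {
      return decodeURIComponent(raw);
    } catch (e) {
      return raw; // malformed percent-encoding: fall back to the raw value
    }
  }
  return null;
}

// With an HttpOnly cookie the token is not readable, so no header is
// produced and a CSRF-protected proxy will still reject the request.
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE);
  return token ? { [CSRF_HEADER]: token } : {};
}

// Attach the token only to state-changing, same-origin requests so it is
// not sent to another origin when a form targets an absolute URL.
function headersFor(method, url, pageOrigin, cookieString) {
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method.toUpperCase());
  const sameOrigin = new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  return !safe && sameOrigin ? csrfHeaders(cookieString) : {};
}
```

In a browser the last argument would be `document.cookie` and `pageOrigin` would be `window.location.origin`.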